The flaw -- dubbed Fake ID by Bluebox Labs, who discovered it -- dates back to January 2010 and was introduced to the platform by code from the now defunct Apache Harmony module. It affects Android versions 2.1 to 4.3; Google fixed the vulnerability in April's KitKat release. However, according to Google's reports, approximately 82% of Android devices still operate on vulnerable platforms.

The Android vulnerability occurs when a malicious app uses a trusted app's ID -- its digital signature. In the Bluebox blog, CTO Jeff Forristal used Adobe Systems for an example: Adobe has its own digital signature, and all programs from Adobe use an ID based on that signature. Because Android grants Adobe special privileges, any app or program using an Adobe ID bypasses security checks and is inherently trusted.

An app impersonating Adobe by using its ID can potentially infiltrate and wreak havoc on a device -- and neither the OS nor the user would know the difference. Forristal also noted two other possible risk scenarios: an app impersonating Google Wallet's signature to access a device's Near Field Communication chip and collect financial, payment and other confidential user data, and an app using the ID of 3LM software -- a now defunct skin manufacturer -- to take control of a device and implant malware on it.

The issue is not confined to a single company, app or signature, and in many cases, even device management software can be fooled if it is not up to date.

The flaw was reported to Google by Bluebox in March of this year, and Google promptly released and distributed a patch in April to manufacturers, Android partners and the Android Open Source Project, with manufacturers having 90 days to implement it. Google also claims the security of Google Play and Verify Apps has been updated to detect the issue. "At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability," Google noted in a statement.

Protecting users and BYOD employees from the Fake ID vulnerability requires smart decision-making when it comes to downloading apps. Only download approved apps from the Google Play Store and never enable apps from untrusted sources. Up-to-date antimalware software should also detect the flaw.

In other news

Officials from the Tor Project reported that an attack on the anonymous network could have potentially affected and uncloaked users over a five-month period, from February 2014 to July 4, 2014. According to Tor's official release, "It's still unclear what 'affected' means." The network believes a combination of traffic confirmation and Sybil attacks was used, and is urging its users to upgrade to Tor release 0.2.4.23 or 0.2.5.6-alpha.

Canadian officials announced "a highly sophisticated Chinese state-sponsored actor" hacked into Canada's National Research Council (NRC) network, putting scientific and trade secrets -- as well as employee and client data -- at risk. Chinese embassy spokesperson Yang Yundong stated that "the Chinese government has always [been] firmly opposed to and combated cyberattacks in accordance with the law. In fact, China is a major victim of cyberattacks." In a statement regarding the breach, NRC said it is in the process of creating a new, more secure IT infrastructure, which could take up to one year to complete.
